'Socialbots' Invade Facebook: Cull 250GB of Private Data

Facebook was recently invaded by a robot army created by four researchers to demonstrate the ease at which online social networks can be maliciously exploited by the unscrupulous.

With a horde of 102 bogus Facebook friends, the University of British Columbia researchers showed that they could harvest personal information on members not publically available on the social network and that its defenses were inadequate to cope with a large scale infiltration.

During the course of an eight week campaign on Facebook, the researchers gathered 250GB of information from thousands of the social network's members. Their "sockpuppet" bots were "friended" by more than 3000 members and the network reached more than a million profiles.

To launch their mischief on Facebook, the quartet—Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu—used a new breed of botnet called a socialbot. What distinguishes a socialbot from other kinds of bots is that it's designed to pass itself off as a human being. That allows it to obtain a privileged position in an online social network (OSN). In the case of Facebook, that position would be "friend."

"As socialbots infiltrate a targeted OSN, they can further harvest private users' data such as e-mail addresses, phone numbers, and other personal data that have monetary value," the researchers explained in a paper they plan to present next week month at the Security Applications Conference [PDF] in Orlando, Fla.

"To an adversary, such data are valuable and can be used for online profling and large-scale email spam and phishing campaigns," they continued. "It is thus not surprising that different kinds of socialbots are being offered for sale in the Internet black-market for as much as $29 per bot."

One of the reasons that the researchers targeted Facebook was that they believed it would be tougher to crack than other online social networks. That proved not to be the case. For example, the Facebook Immune System (FIS), which is designed to foil malicious activity on the service, only flagged 20 of the socialbotnet's phony personalities. What's more, the only reason those identities were earmarked was because users complained about them as spam.

"In fact, we did not observe any evidence that the FIS detected what was really going on other than relying on users' feedback, which seems to be an essential but potentially dangerous component of the FIS," the researchers wrote.

In a statement released to the media, Facebook disputed the researchers' findings because their attacks originated from a trusted university address. It also said that it was able to disable more of the bogus accounts faster than the researchers claimed in their paper. “We have serious concerns about the methodology of the research by the University of British Columbia and we will be putting these concerns to them," a spokesman for the company said.

Earlier this year, the hacker collective known as Anonymous, based on emails it robbed from defense contractor HBGary Federal, alleged that the military had plans to infiltrate social networks, like Facebook, with phony cyber personalities with the intent to gather information for arresting dissidents and activists who operate anonymously online.

Those allegations were given credence later when the U.S. Central Command awarded a $2.7 million contract to a company named Ntrepid for creating software to create phony online personas to infiltrate social networking sites where terrorists are recruiting manpower and soliciting funds.